I wasn't actually looking for security holes -- this one just stood out. Actually, programs that run under Dosbox are not supposed to have any more control over your system than your typical web page ([In]activeX controls excluded). Any dos virus could only affect the files that Dosbox has access to …

This is a sample exploit showing a flaw in Dosbox's program system. In order for Dosbox to have built-in programs like COMMAND.COM, MEM.COM, etc., it sets up a handler with the callback system (usually #4), and then creates a virtual file on the system containing the callback instruction (FE 38). …